Google Cloud Deploy service accounts

This document describes the service accounts that Google Cloud Deploy runs as, and the permissions needed by the accounts that call Google Cloud Deploy to perform operations such as creating releases and rollouts.

Google Cloud Deploy uses two service accounts:

  • The Google Cloud Deploy service agent

    Google Cloud Deploy uses this service account to interact with your project. You can't replace this service agent with an alternate service account, but you can edit permissions on it, for example when you're using resources outside of the project (such as a service account or a private Cloud Build worker pool).

  • The Google Cloud Deploy execution service account

    Google Cloud Deploy uses this service account to execute render and deploy operations in Cloud Build. This account needs permissions sufficient to read from and write to the Cloud Storage bucket and to access deployment targets.

    The default service account for execution is the default Compute Engine service account. You can specify an alternate service account in the target configuration.

See Creating and managing service accounts for instructions on how to edit service-account permissions and how to create an alternate service account.

Google Cloud Deploy service agent

The Google Cloud Deploy service agent is a service account that Google Cloud Deploy uses to interact with other Google Cloud services Google Cloud Deploy relies on. These services include Cloud Build, Pub/Sub, and Cloud Audit Logs.

The name of this service account follows this pattern:

service-<project-number>@gcp-sa-clouddeploy.iam.gserviceaccount.com

You can't replace the service agent with an alternate service account. But you might need to add permissions, for example to allow access to a private pool in another project, configured as part of an execution environment.

Google Cloud Deploy execution service account

By default, Google Cloud Deploy runs using the default Compute Engine service account. That service account has sufficient permissions in the project that contains it to render manifests and deploy to your targets.

The name of this service account follows this pattern:

<project-number>-compute@developer.gserviceaccount.com

This default service account has broad permissions. The best practice is to change your execution environment so that Google Cloud Deploy runs as a different service account. You can change the execution service account for each target using the executionConfigs.privatePool.serviceAccount property or the executionConfigs.defaultPool.serviceAccount property in the target definition.

Any service account you set for these properties must have the roles/clouddeploy.jobRunner role in the Cloud Deploy project. The default service account already has the permissions this role grants.

What service accounts to create

If you choose not to use the default execution service account for rendering and deploying, you need to create one or more alternate service accounts to use. These are service accounts that Google Cloud Deploy runs as, and they're configured in the target configuration.

One reason to create more than one would be to have a specific service account or accounts for deploying to restricted targets, like a production target.

One possible approach is to use separate service accounts per delivery pipeline. Each such service account would include roles with sufficient permissions to render and to deploy.
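As an added example (not from the original page), here is a target definition for a restricted production target that overrides the default Compute Engine service account with a shared render account and a deploy account reserved for this target. The project, cluster, bucket and account names are placeholders, the defaultPool form is assumed to match the target schema this page refers to, and roles/container.developer is named as a typical GKE deploy role rather than something this page states.

```yaml
# Added example target definition; all names are placeholders.
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: prod
description: production GKE cluster (restricted target)
requireApproval: true
gke:
  cluster: projects/my-project/locations/us-central1/clusters/prod-cluster
executionConfigs:
  # Rendering only needs to read and write the artifact bucket, so a
  # render account shared across pipelines is enough; it must hold
  # roles/clouddeploy.jobRunner in the Cloud Deploy project.
  - usages:
      - RENDER
    defaultPool:
      serviceAccount: clouddeploy-render@my-project.iam.gserviceaccount.com
      artifactStorage: gs://my-project-clouddeploy-artifacts
  # Deploying to production runs as its own account, which holds
  # roles/clouddeploy.jobRunner plus the cluster permissions (for GKE,
  # typically roles/container.developer) for this target only, instead of
  # the broad permissions of the default Compute Engine account.
  - usages:
      - DEPLOY
    defaultPool:
      serviceAccount: clouddeploy-deploy-prod@my-project.iam.gserviceaccount.com
      artifactStorage: gs://my-project-clouddeploy-artifacts
# Leaving executionConfigs out entirely makes both usages fall back to
# <project-number>-compute@developer.gserviceaccount.com.
```

The principal that creates releases against this target additionally needs to act as the render account, and the principal that promotes releases or creates rollouts needs to act as the deploy account, so the two accounts give you a natural place to separate those two permissions.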

Required permissions

  • The service account used for rendering configurations must have sufficient permissions to access the Cloud Storage bucket where your Google Cloud Deploy resources are stored (delivery pipelines, releases, rollouts).

    The role roles/clouddeploy.jobRunner includes all permissions the render service account (privatePool or defaultPool) needs.

  • The service account used for deploying must have sufficient permissions to deploy to the target cluster, and permission to access the Cloud Storage bucket.

  • The service account that calls Google Cloud Deploy to create a release must have the roles/clouddeploy.releaser role. It must also have the iam.serviceAccounts.actAs permission on the service account that renders manifests (for example through the roles/iam.serviceAccountUser role).

  • The service account that calls Google Cloud Deploy to promote a release or create a rollout must have the iam.serviceAccounts.actAs permission on the service account that deploys to targets.
